Corvil is highlighting that network forensics intelligence - especially user-centric intelligence - is a critical cyber defence weapon for remediating issues before they escalate and avoiding future attacks.

Network forensics intelligence

In today’s sophisticated and evolving cyber threat landscape, research shows the odds are stacked against businesses, with a staggering one-in-four chance of having a breach. Increasingly, hacker-controlled machines inside the perimeter account for the overwhelming majority of attacks. Attackers are not only infiltrating the corporate network; according to new Verizon research, as much as 68 percent remain undiscovered for months.

Even when overburdened security teams detect suspicious behaviour, the investigation process is arduous and often inconclusive. Security teams often lack the context and data dimensions to identify the source systems and accounts used in the attack, the data read or exfiltrated, and the additional footholds left behind. Further, with the increase in data privacy regulations and requirements for prompt breach notification, security teams are under added pressure to provide greater oversight and controls, and to shorten investigation and impact determination timeframes.

Traditionally, digital forensics is enlisted after an incident, such as Facebook’s recent appointment of cybersecurity firm Stroz Friedberg to investigate the Cambridge Analytica data breach storm, which has wiped almost $37 billion off its market value. It is at this stage that many organisations discover their available data sources are shallow, fragmented and incapable of providing timely answers to queries. However, in this climate of increasing regulation, while the likelihood of an attack is high, the certainty of engagement by internal auditors or regulators is absolute. This requires security teams to assume a posture of having answers for questions that have not yet been asked about the behaviours of users, devices, and applications.

Deep network forensics

Corvil believes deep network forensics, incorporating user, host, and communication payload analysis, is a critical step for gaining transparency into the ‘Black Box’ of what is happening across a network or during an attack. Continuously monitoring, gathering and examining “evidence” to use as a remediation tool can significantly bolster security teams’ incident response preparedness and their ability to respond to internal and external compliance teams.

“When reputation, and sometimes existence, are at stake, the speed with which an organisation can recognise, analyse, and respond to an incident will limit the damage and ultimately lower the cost of recovery,” says David Murray, Corvil Chief Marketing and Business Development Officer. “Insights derived from granular visibility enable security teams to rapidly investigate, isolate and identify remediations for vulnerabilities to reduce the impact of an incident and prevent future incidents. By accelerating investigation and response times, firms gain an enormous advantage over attackers.”

The stakes are high for breached businesses, as illustrated by health insurer Anthem Inc., which settled a record $115 million lawsuit for a breach that affected 78.8 million people. Corvil believes that with the incoming EU General Data Protection Regulation (GDPR), which stipulates breach fines of up to four percent of global annual turnover and a seventy-two-hour breach notification rule, firms need to radically rethink security priorities.

Network traffic analysis

“Unfortunately, breaches are an inevitable consequence of digital business. Network forensics that correlates user, host, and application activity is a critical capability to enable effective hunting of cybercriminals within an environment. Remediation technology and integration with the wider cyber-protection ecosystem is equally as important in planning and implementing an effective risk, compliance, and cybersecurity fabric,” concludes Murray.

Corvil recently launched user-centric network traffic analysis for accelerated insider threat detection and response. The solution automatically provides security analysts with a unified view of user identity, host and network activity in one system.

In case you missed it

Questioning the wisdom of the U.S. ban on Hikvision & Dahua

I have been thinking a lot about the U.S. government’s ban on video surveillance technologies by Hikvision and Dahua. In general, I question the wisdom and logic of the ban and am frankly puzzled as to how it came to be. Allow me to elaborate.

Chinese camera manufacturers

Reality check: the government ban is based on concerns about the potential misuse of cameras, not actual misuse. Before the government ban, you occasionally heard about some government entities deciding not to use cameras manufactured by Chinese companies, although the reasons were mostly “in an abundance of caution.” Even so, I find the targeting of two Chinese companies – three if you count Hytera Communications, a mobile radio manufacturer – in a huge government military spending bill to be a little puzzling. I can’t quite picture how these specific companies got on Congress’s radar.

What level of lobbying or backroom dealing was involved in getting the ban introduced (by a Missouri congresswoman) into the House version of the bill? And after the ban was left out of the Senate version, was there a new wave of discussions to ensure it was included in the joint House-Senate version (with some minor changes, and who negotiated those?). It all seems a little random.

Concerns for the U.S.

Furthermore, the U.S. ban solves neither of the two main concerns that are generally used as its justification:

Concern: Cybersecurity. The U.S. ban “solves” the issue of cybersecurity only if both of the following statements are true.

No security system that uses a Hikvision or Dahua camera or other component is cybersecure.

Any system that does not use a Hikvision or Dahua camera or other component is cybersecure.

The ban ignores the breadth and complexity of cybersecurity and instead offers up two companies as scapegoats. Our industry has sought to address cybersecurity, and the one principle that has guided that effort is that cybersecurity is an issue that must be addressed by manufacturers, consultants, integrators and end users – in effect, everyone in the industry. Cybersecurity does not begin and end with the manufacturer and banning any manufacturers from the market does not ensure better cybersecurity.

Concern: “Untrustworthy” Chinese companies. Hikvision and Dahua are only two Chinese companies. Any response to concerns about whether Chinese companies are trustworthy would need to cover many more companies that manufacture their products in China. Australian TV recently claimed that “all Chinese companies pose a risk. Because of Chinese laws, there is a requirement for companies to be engaged in espionage on behalf of the state.” Even if one embraces that extreme view, the logic fails when only two companies are targeted. One source told me that 60 to 65 percent of the global supply of commercial video cameras are manufactured in China, so it’s a much bigger issue than two companies.

And is U.S. security at risk unless or until it is cut off from more than half of the world’s supply of video cameras? Even Western camera companies manufacture some of their cameras and/or components in China. Why name only two (or three) companies, only one of which has ties to the Chinese government? If the goal of the U.S. ban was to address the possibility of cybersecurity and/or espionage by the Chinese government, shouldn’t there be other companies and product categories included? Clearly, video surveillance is not the only category that has the potential for abuse.

The Chinese government has much more effective ways of conducting espionage than exploiting security cameras.

Global response to U.S. ban

And now that the U.S. ban has been passed, how is the ban being misused to justify a new level of alarm about Chinese companies? Australian television effortlessly made the leap from “software backdoors” to a concerted and organised effort by the Chinese government to use cameras to be the “number one country for espionage.” And it’s not just about government facilities: “Even on the street, [cameras] have the potential to inadvertently contribute toward Chinese espionage activity by providing real-time information about the situation on the ground,” says the Australian TV report.

If all Chinese companies pose a risk, why is the U.S. government targeting specific companies rather than all Chinese companies, or at least those with electronics or computer products that could be used for espionage? What about the espionage potential of the 70% of mobile phones that are made in China? What about other consumer electronics such as PCs or smart TVs? How many government facilities that are eliminating Dahua and Hikvision cameras have employees who use iPhones or use other electronic equipment from China?

Artificial intelligence & IP-over-coax

Also, consider the impact of the ban on business. Hikvision and Dahua have had many successes in the video surveillance market, including in the U.S. market. They have added value to many integrators and end user customers. They have been on the forefront of important trends such as artificial intelligence and IP-over-coax. And, yes, they have made technologies available at lower prices.

Cybersecurity issues have plagued several companies in the industry, not just these two, and both Hikvision and Dahua have worked to fix past problems, and to raise awareness of cybersecurity concerns in general. Is a U.S. ban on two companies an appropriate response to a series of geo-political concerns that are much bigger than those two companies (and bigger than our entire market)? Should two companies take the brunt of the anti-Chinese backlash?

Video surveillance cameras

Is the video surveillance market as a whole better or worse for the presence of Hikvision and Dahua? Is it up to the U.S. government to make that call? In some ways, thoughts of Chinese espionage are a sign of these uncertain political times. Fear of video surveillance is perfectly congruent with long-standing anxieties about “Big Brother;” suspicion about China taking over our video cameras just rings true at a time when Russia is (supposedly) controlling our elections. But should two companies be targeted while broader concerns are shrugged off?

8 tips for visiting a large security trade show

Security trade fairs can be daunting for attendees. At big shows like IFSEC International and Security Essen, there can be hundreds of physical security manufacturers and dealers vying for your attention. Stands are sometimes spread out across multiple halls, often accompanied by a baffling floor plan. As the scope of physical security expands from video surveillance and access control to include smart building integrations, cyber security and the Internet of Things (IoT), there is an increasing amount of information to take in from education sessions and panels. Here, SourceSecurity.com presents eight hints and tips for visitors to make the most out of trade shows:

1. Outline your objectives

As the famous saying goes, “Failing to plan is planning to fail!” Before you plan anything else, ensure you know what you need to achieve at the show. By clearly noting your objectives, you will be able to divide your time at the show appropriately, and carefully choose who you speak to. If there is a particular project your organisation is working on, search out the products and solutions that address your security challenges. If you are a security professional aiming to keep up with the latest trends and technologies, then networking sessions and seminars may be more appropriate.

2. Bring a standard list of questions

Prepare a list of specific questions that will tell you if a product, solution or potential partner will help you meet your objectives. By asking the same questions to each exhibitor you speak to, you will be able to take notes and compare their offerings side by side at the end of the day. This also means you won’t get bogged down in details that are irrelevant to your goals.

3. Do your homework

Once you know your objectives, you can start to research who is exhibiting and decide who you want to talk to. Lists of exhibitors can be daunting, and don’t always show you which manufacturers meet your needs. Luckily, most trade fair websites provide the option to filter exhibitors by their product category. Many exhibitions also offer a downloadable floor plan, grouping exhibitors by product category or by relevant vertical market. It may be easier to download the floor plan to your phone/tablet or even print it out, if you don’t want to carry around a weighty map or show-guide.

4. Make a schedule

Once you have shortlisted the companies you need to see, you can make a schedule that reflects your priorities. Even if you are not booking fixed meetings, a schedule will allow you to effectively manage your time, ensuring you make time for the exhibitors you can’t afford to miss. If the trade show spans several days, aim to have your most important conversations early on day one. By the time the last afternoon of the show comes around, many companies are already packing up their stand and preparing to head home. When scheduling fixed meetings, keep the floor plan at hand to avoid booking consecutive meetings at opposite ends of the venue. This will ensure you can walk calmly between stands and don’t arrive at an important meeting feeling flustered!

5. Make time for learning

If you’re on a mission to expand your knowledge in a given area, check the event guide beforehand to note any education sessions you may want to attend. Look for panels and seminars which address the specific needs of your project, or which will contribute to your professional growth. This is one of the best opportunities you will have to learn from industry leaders in the field. Be sure to plan your attendance in advance so you can schedule the rest of your day accordingly.

6. Keep a record

Armed with your objectives and list of questions, you will want to make a note of exhibitors’ responses to help you come to an informed decision. If you’re relying on an electronic device such as a smartphone or tablet to take notes, you may like to consider bringing a back-up notepad and pen, so you can continue to take notes if your battery fails. Your record does not have to be confined to written bullet points. Photos and videos are great tools to remind you what you saw at the show, and they may pick up details that you weren’t able to describe in your notes. Most mobile devices can take photos – and images don’t need to be high quality if they’re just to refresh your memory.

7. Network – but don’t let small talk rule the day

It may be tempting to take advantage of this time away from the office to talk about anything but business! While small talk can be helpful for building strong professional relationships, remember to keep your list of questions at hand so you can always bring conversations back to your key objectives. Keeping these goals in mind will also help you avoid being swayed by any unhelpful marketing-speak. It may seem obvious, but don’t forget to exchange business cards with everyone you speak to, or even take the opportunity to connect via LinkedIn. Even if something doesn’t seem relevant now, these contacts may be useful in future. Have a dedicated section in your bag or briefcase for business cards to avoid rummaging around.

8. Schedule time for wandering

With your most important conversations planned carefully, there should be time left to explore the show more freely. Allowing dedicated time to wander will give you a welcome break from more pressing conversations, and may throw up a welcome surprise in the form of a smaller company or new technology you weren’t aware of.

Security trade fair checklist:

Photo identification: As well as your event pass, some events require photo identification for entry.

Notebook and pen: By writing as you go, you will be able to compare notes at the end of the day.

Mobile device: Photos and videos are great tools to remind you what you saw at the show, and may pick up details you missed in your notes.

Paper schedule & floor plan: In case batteries or network service fail.

Business cards: Have a dedicated pouch or pocket for these to avoid rummaging at the bottom of a bag.

Comfortable shoes: If you’re spending a whole day at an event, and plan on visiting multiple booths, comfortable shoes are a must!

How artificial intelligence (AI) is changing video surveillance today

There’s a lot of excitement around artificial intelligence (AI) today – and rightly so. AI is shifting the modern landscape of security and surveillance and dramatically changing the way users interact with their security systems. But with all the talk of AI’s potential, you might be wondering: what problems does AI help solve today?

The need for AI

The fact is, today there are too many cameras and too much recorded video for security operators to keep pace with. On top of that, people have short attention spans. AI is a technology that doesn’t get bored and can analyse more video data than humans ever possibly could. It is designed to bring the most important events and insight to users’ attention, freeing them to do what they do best: make critical decisions. There are two areas where AI can have a significant impact on video surveillance today: search and focus of attention.

Faster search

Imagine using the internet today without a search engine. You would have to search through one webpage at a time, combing through all its contents, line-by-line, to hopefully find what you’re looking for. That is what most video surveillance search is like today: security operators scan hours of video from one camera at a time in the hope that they’ll find the critical event they need to investigate further. That’s where artificial intelligence comes in.

With AI, companies such as Avigilon are developing technologies that are designed to make video search as easy as searching the internet. Tools like Avigilon Appearance Search™ technology – a sophisticated deep learning AI video search engine – help operators quickly locate a specific person or vehicle of interest across all cameras within a site. When a security operator is provided with physical descriptions of a person involved in an event, this technology allows them to initiate a search by simply selecting certain descriptors, such as gender or clothing colour. During critical investigations, such as in the case of a missing or suspicious person, this technology is particularly helpful as it can use those descriptions to search for a person and, within seconds, find them across an entire site.

Focused attention

The ability of AI to reduce hours of work to mere minutes is especially significant when we think about the gradual decline in human attention spans. Consider all the information a person is presented with on a given day. They don’t necessarily pay attention to everything because most of that information is irrelevant. Instead, they prioritise what is and is not important, often focusing only on information or events that are surprising or unusual.

Now, consider how much information a security operator who watches tens, if not hundreds or thousands of surveillance cameras, is presented with daily. After just twenty minutes, their attention span significantly decreases, meaning most of that video is never watched and critical information may go undetected. By taking over the task of "watching" security video, AI technology can help focus operators’ attention on events that may need further investigation.

For instance, technology like Avigilon™ Unusual Motion (UMD) uses AI to continuously learn what typical activity in a scene looks like and then detect and flag unusual events, adding a new level of automation to surveillance. This helps save time during an investigation by allowing operators to quickly search through large amounts of recorded video faster, automatically focusing their attention on the atypical events that may need further investigation, enabling them to more effectively answer the critical questions of who, what, where and when.

As AI technology evolves, the rich metadata captured in surveillance video – like clothing colour, age or gender – will add even more relevance to what operators are seeing. This means that in addition to detecting unusual activities based on motion, this technology has the potential to guide operators’ attention to other “unusual” data that will help them more accurately verify and respond to a security event.

The key to advanced security

There’s no denying it, the role of AI in security today is transformative. AI-powered video management software is helping to reduce the amount of time spent on surveillance, making security operators more efficient and effective at their jobs. By removing the need to constantly watch video screens and automating the “detection” function of surveillance, AI technology allows operators to focus on what they do best: verifying and acting on critical events. This not only expedites forensic investigations but enables real-time event response, as well.

When integrated throughout a security system, AI technology has the potential to dramatically change security operations. Just as high-definition imaging has become a quintessential feature of today’s surveillance cameras, the tremendous value of AI technology has positioned it as a core component of security systems today, and in the future.